MCS/Gateway failing to create NEG in the fleet-host project on serviceImport

Hello,
There are some articles related to my problem, but they didn't help me find a solution. I would need some help to find a way to get MC Gateway working in my context.

Context: Private GKE Auto pilot clusters in peered VPC and different projects.
I am following the different documentations to enable MC Gateway and all is working except one thing. The NEG is not created in the Fleet Host Project for my imported service that is configured as the backend of my Gateway/HTTPRoute… which makes the solution useless :frowning:

I am creating a service on cluster_1 (with an annotation for NEG like '{"ingress":true}' → not pasting the right annotation because it's considered as a link and I already have 2 links in my post :frowning:).
I am creating a serviceExport on Cluster_1 which triggers:

  • serviceImport on cluster_1 (fleet member)
  • k8s endpoint creation on cluster_1
  • NEG entries on cluster_1
  • serviceImport on cluster_2 (fleet host)
  • service on cluster_2
  • k8s endpoint creation on cluster_2
  • But NO NEG entries on cluster_2 are created!!

If I search for logs in cluster_1 I can see the entry: type.googleapis.com/compute.networkEndpointGroups.insert
When I look at the logs in cluster_2 I cannot see such an entry, nor do I see an error.

I am searching the mc-gateway-controller or mc-gke-importer logs; nothing shows an error or warning.

Yet my Gateway is raising an error that the HTTPRoute backend cannot be found in the NEG of my cluster_2 (fleet host)…

One thing is that everything else is working as designed, since I am able to access my service (on cluster_1) from cluster_2 using the exposed address: http://helloweb.keycloak.svc.clusterset.local:8080 .
The problem is actually the routing via the NEG.

I hope someone can help me there.
Thank you
PS: I searched for any logs that could be highlighting a permission denied and found nothing.

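For readers following the same procedure, here is the set of manifests the first post describes, as an added example rather than the poster's own files. The Service name (helloweb), namespace (keycloak) and port (8080) come from the clusterset address quoted in the post; the Gateway name, the GatewayClass, and the pod selector label are assumptions.

```yaml
# Added example, not the original poster's manifests. Service name, namespace
# and port come from the thread; the Gateway name, GatewayClass and pod label
# are assumptions.
---
# 1. Service on cluster_1 (fleet member). The NEG annotation makes GKE create a
#    network endpoint group for this Service's endpoints in the member project.
apiVersion: v1
kind: Service
metadata:
  name: helloweb
  namespace: keycloak
  annotations:
    cloud.google.com/neg: '{"ingress": true}'
spec:
  selector:
    app: helloweb          # assumed pod label
  ports:
    - name: http
      port: 8080
      targetPort: 8080
---
# 2. ServiceExport on cluster_1. It must carry the same name and namespace as
#    the Service; the fleet then creates a matching ServiceImport in every
#    member cluster.
apiVersion: net.gke.io/v1
kind: ServiceExport
metadata:
  name: helloweb
  namespace: keycloak
---
# 3. Gateway on cluster_2 (the config cluster / fleet host). The class name is
#    assumed; multi-cluster GKE classes carry the "-mc" suffix.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: external-http      # assumed name
  namespace: keycloak
spec:
  gatewayClassName: gke-l7-global-external-managed-mc
  listeners:
    - name: http
      protocol: HTTP
      port: 80
---
# 4. HTTPRoute on cluster_2 whose backend is the ServiceImport, not a Service.
#    The group/kind pair is what tells the controller to program the
#    multi-cluster NEGs; a plain Service backend would only reach local pods.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: helloweb
  namespace: keycloak
spec:
  parentRefs:
    - name: external-http
  rules:
    - backendRefs:
        - group: net.gke.io
          kind: ServiceImport
          name: helloweb
          port: 8080
```

The Service and ServiceExport are applied on the cluster that runs the workload; the Gateway and HTTPRoute are applied only on the config cluster. After applying, the check the poster performs below is the useful one: read the ServiceImport on the config cluster with kubectl get serviceimport helloweb -n keycloak -o yaml and confirm that each status.clusters entry points at the membership of the project that actually hosts the workload, since that path is what the gateway controller uses to locate the NEG.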

Hi @Fab_T, MCS is working since serviceExport/Import and DNS resolve fine, but the missing NEG in the fleet-host project usually means the gateway controller service account lacks the right IAM in the host project or required APIs aren't enabled, so check that cloud.google.com/neg: '{"ingress": true}' is on the Service and that the service account has compute.networkAdmin (or similar) in the fleet-host project.

Thanks for your response, it helps me pinpoint the investigation and focus on the gateway controller.
I read a lot of articles on MCS and checked many items already before asking a question, but it's always good to confirm and perform the four-eyes check.

  1. The annotation is correct, this was something I already mentioned.
  2. All required APIs are enabled on both projects.
  3. serviceAccount:FLEET_HOST_PROJ@gcp-sa-mcsd.iam.gserviceaccount.com has the multiclusterservicediscovery.serviceAgent role on both projects.
  4. The KSA for mcs_importer has the compute.networkViewer role on both projects (as mentioned in the different docs).

    --member "serviceAccount:FLEET_HOST_PROJ.svc.id.goog[gke-mcs/gke-mcs-importer]"
    --role roles/compute.networkViewer
    --member "serviceAccount:SECOND_CLUSTER_PROJ.svc.id.goog[gke-mcs/gke-mcs-importer]"
    --role roles/compute.networkViewer

Here is a follow-up question:
If there was an issue with IAM on the service account for the Gateway controller, wouldn't this be logged as an error?
Because I am not seeing any attempt to create a NEG in the logs of the Fleet Host Project.

At first, I noticed the compute.networkViewer role doesn't have the permission to create a NEG, as only admin has compute.networkEndpointGroups.create… so I looked at the Service Project logs (where the NEG is correctly created) and noticed the method is actually beta.compute.backendServices.insert, and serviceAccount:FLEET_HOST_PROJ@gcp-sa-mcsd.iam.gserviceaccount.com has this permission. So my conclusion is that it should not be a permission error.

The only warning that is sent by the mc-gateway-controller is the following: "error ensuring load balancer: generic::not_found: Insert: The resource 'projects xxx NEG xxx. " which to me corresponds to the health check telling me the route doesn't exist on the Host Project…

If you are working on MCS, I'd like to have more information regarding the "status" output for ServiceImport (couldn't find the info).

Here is the status for the ServiceImport on the Service Project:

    Clusters:
    │ Cluster: projects/SERVICE_PROJECT/locations/MY_REGION/memberships/K8S_CLUSTER_ON_SERVICE_PROJECT

This path is totally correct.

Here is the status for the ServiceImport on the Fleet Host Project:

    Clusters:
    │ Cluster: projects/FLEET_HOST_PROJECT/locations/MY_REGION/memberships/K8S_CLUSTER_ON_SERVICE_PROJECT

This path is not correct.

Thanks for your help

Google support actually told us that, as of November 2025, there is no support for multiple projects with MCS/Gateway. It's actually mentioned as a limitation in the documentation.
I will close this thread.
